Security Incident Frequently Asked Questions
Due to a vulnerability in a storage system, files containing sensitive data including Personally Identifiable Information were stored in a manner that may have allowed unauthorized users to access the files in question from April 2009 to September 2012. Upon identification of the vulnerability, the university took steps to correct the problem, and implemented additional safeguards and controls to protect the university’s information assets.
What information was exposed?
The exposed data involved people connected to the university and includes names, addresses, social security numbers, and/or financial account information provided in association with transactions with the university. The information was gathered in several ways, including when prospective students applied to the university, when they or their guardians filled out financial aid forms, or when the university purchased lists of items like SAT scores. The vulnerable information goes back to 1999.
How many people were affected by the incident?
The files in question contain information of 233,880 individuals.
What actions did the university take?
The university immediately took a number of parallel steps to investigate and remediate the exposure. On Sept. 29, 2012, upon learning about the incident, President Schmotter immediately activated the Board of Regents security incident response plan to address the incident. The university contacted the BOR Information Security & Policy Office to conduct an in-depth and thorough forensics investigation of the incident to determine what happened and identify and remediate security vulnerabilities campus-wide. The university also engaged the Office of the Attorney General to assist in determining how to proceed. Following the investigation and remediation, the university sent notices of the possible exposure.
Does the university have any indication that any person has suffered identity theft as a result of the incident?
At this time, the university has no evidence or reports that the files in question were inappropriately accessed or the information was used for identity theft or another crime. The university will continue to monitor the situation carefully and has enhanced its internal review procedures to watch for unusual activities.
What steps is the university taking to prevent future incidents?
Since discovery of the exposure, the university has dramatically increased its information protection capacity with new layers of protection. The university will continue to assess and improve all aspects of its information security.
Is the university offering any identify protection services to affected individuals?
The university is offering affected individuals two years of free identity protection services through a contract with AllClear ID, a company that provides extensive credit monitoring and related services. If your personal information was contained in the files in question, you will be receiving notification through the postal mail. We also encourage you to obtain copies of your credit report from all three national credit reporting agencies to ensure that your reports are accurate. Information on how to obtain a free copy of your reports can be found at www.annualcreditreport.com.
How do I know if I am affected?
The university has set up a searchable database that contains the names of all affected individuals. Follow the instructions on the website http://www.wcsu.edu/securityincident to find out if your personal information was contained in the files in question. If you are affected, you will be receiving notification through the postal mail.
How can I get more information?
The university and AllClear ID have set up a hotline to answer any questions you might have. You may reach the hotline by calling (855) 731-6012.